Skip to content

[MATRIX-1193] Add username/password option for elastic self hosted #3215

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AitorAlgorta wants to merge 8 commits into
base: main
Choose a base branch
from
Open

[MATRIX-1193] Add username/password option for elastic self hosted #3215

AitorAlgorta wants to merge 8 commits into from

Conversation

@AitorAlgorta
Copy link
Member

@AitorAlgorta AitorAlgorta commented Oct 30, 2025
edited
Loading

Release Notes

New Features

  • Added support for username/password authentication for Elastic connections in confluent flink connection create and confluent flink connection update commands. Users can now authenticate with Elastic using either --api-key or --username/--password flags.

Checklist

  • I have successfully built and used a custom CLI binary, without linter issues from this PR.
  • I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
  • I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
  • I have verified this PR in Confluent Platform on-premises environment, if applicable.
  • I have attached manual CLI verification results or screenshots in the Test & Review section below.
  • I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
  • I confirm that this PR introduces no breaking changes or backward compatibility issues.
  • I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
  • I have put checkmarks below confirming that the feature associated with this PR is enabled in:
    • Confluent Cloud prod
    • Confluent Cloud stag
    • Confluent Platform

What

This PR adds support for username/password (Basic Auth) as an alternative authentication method for Elastic connections in Confluent Cloud Flink.

Problem: Previously, Elastic connections only supported API key authentication. Some users prefer or require username/password authentication for their Elastic deployments.

Solution:

  • Added username and password to the allowed secrets for the elastic connection type
  • Added elastic to the username/password type mappings (alongside rest, mcp_server, and a2a)
  • Implemented mutually exclusive validation: users must provide either --api-key OR both --username and --password, but not both authentication methods
  • The CLI automatically sets AUTH_TYPE: "BASIC" when username/password is used, or AUTH_TYPE: "API_KEY" when api-key is used

Applies to: Confluent Cloud only

Blast Radius

  • Low risk. This is an additive feature that adds a new authentication option for Elastic connections.
  • Existing Elastic connections using --api-key are unaffected; the API key authentication path remains unchanged.
  • If the backend Flink Gateway does not support username/password for Elastic, the CLI will successfully send the request but the backend will return an appropriate error.

References

  • Flink Gateway backend changes for Elastic Basic Auth support

Test & Review

CLI Integration Tests Added:

  • create-elastic-no-secret.golden - Tests error when no secrets provided for elastic
  • create-elastic-mutually-exclusive-secret.golden - Tests error when both api-key and username are provided
  • create-elastic-missing-required-secret.golden - Tests error when username provided without password

Manual Verification - Elastic CREATE connection with username/password:

./dist/confluent_darwin_arm64/confluent flink connection create test-elastic \
  --cloud aws \
  --region us-west-2 \
  --type elastic \
  --endpoint https://my-elastic.example.com:9200 \
  --username elastic \
  --password mySecretPassword123
No Flink endpoint is specified, defaulting to public endpoint: `https://flink.us-west-2.aws.devel.cpdev.cloud`
+---------------+-------------------------------------+
| Creation Date | 2025-12-19 10:56:38.559965          |
|               | +0000 UTC                           |
| Name          | test-elastic                        |
| Environment   | env-devcxk85zg                      |
| Cloud         | aws                                 |
| Region        | us-west-2                           |
| Type          | ELASTIC                             |
| Endpoint      | https://my-elastic.example.com:9200 |
| Data          | <REDACTED>                          |
| Status        |                                     |
+---------------+-------------------------------------+

Manual Verification - Elastic EDIT connection with username/password:

./dist/confluent_darwin_arm64/confluent flink connection update test-elastic \
  --cloud aws \
  --region us-west-2 \
  --username elastic \
  --password myOtherSecretPassword123
No Flink endpoint is specified, defaulting to public endpoint: `https://flink.us-west-2.aws.devel.cpdev.cloud`
+---------------+-------------------------------------+
| Creation Date | 2025-12-19 14:04:41.666412          |
|               | +0000 UTC                           |
| Name          | test-elastic                        |
| Environment   | env-devcxk85zg                      |
| Cloud         | aws                                 |
| Region        | us-west-2                           |
| Type          | ELASTIC                             |
| Endpoint      | https://my-elastic.example.com:9200 |
| Data          | <REDACTED>                          |
| Status        |                                     |
+---------------+-------------------------------------+

@confluent-cla-assistant
Copy link

confluent-cla-assistant bot commented Oct 30, 2025

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@airlock-confluentinc airlock-confluentinc bot force-pushed the MATRIX-1193 branch 2 times, most recently from b87b129 to f8b5c45 Compare November 3, 2025 14:17
@sonarqube-confluent
Copy link

sonarqube-confluent bot commented Nov 3, 2025

Quality Gate failed Quality Gate failed

Failed conditions
1 New issue

See analysis details on SonarQube

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE SonarQube for IDE

@sonarqube-confluent
Copy link

sonarqube-confluent bot commented Jan 7, 2026

Quality Gate passed Quality Gate passed

Issues
1 New issue
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@AitorAlgorta AitorAlgorta marked this pull request as ready for review January 7, 2026 17:07
@AitorAlgorta AitorAlgorta requested a review from a team as a code owner January 7, 2026 17:07
lihaosky
lihaosky approved these changes Jan 8, 2026
View reviewed changes
Copy link
Member

@lihaosky lihaosky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lihaosky lihaosky lihaosky approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AitorAlgorta @lihaosky